Most people understand the domain name to be a list of characters, used to denote a website’s address or URL. However, while the domain name may seem like an innocuous concept, it is more complex than most people think because of the mechanisms that make it possible. Domain names are closely tied to the Domain Name Service (DNS). The DNS functions on an ecosystem of devices, agencies, and other actors. Because of all these facets, there are multiple ways to expose companies to security risks through the domain name and the domain name service.
This guide will explore how cybercriminals can hijack your domain name and steal valuable data. Additionally, we’ll examine a few steps you can take to protect yourself from domain name-related exploitation. Below, we will start with a list of concepts related to domains and domain names, to make it easier for you to understand how cybercriminals can use the domain name to damage your company’s brand and steal data.
What is the domain name system?
Domain names were invented to make internet protocol (IP) addresses more accessible. An IP address is a set of numerical values corresponding to each network device accessing the internet. They identify a computer or any other device’s location on the world wide web.
Because IP addresses are a unique string of numbers, remembering the IP address for every website you want to visit is highly impossible. This is why domain names are so important. They are easy-to-remember stand-ins for IP addresses.
The domain name system (DNS) is a digital directory that stores and provides information about which domain names correspond to IP addresses. In essence, the DNS converts domain names into IP addresses. Computers and other devices can use these IP addresses to communicate on a network. For instance, Openprovider’s domain name is https://www.openprovider.com. That’s much easier to remember as a company name than the IP address 22.214.171.124.
When you enter a domain name or URL into a web browser, the browser uses the DNS as a directory to match the domain name to the correct IP address. It then uses this information to retrieve the website associated with the domain.
The DNS ecosystem
The DNS ecosystem describes all of the the network devices, systems, and actors that use or are in connection with the DNS. A lot of work goes into maintaining the DNS ecosystem, including the development of protocols at organizations at the Internet Engineering Task Force (IETF) or the development of policies at organizations at ICANN.
The DNS ecosystem also involves organizations that may not necessarily have direct relationships to the DNS. For instance, the Regional Internet Registry (RIR), is responsible for distributing IP addresses, and the W3C consortium is responsible for specifying the protocols for the worldwide web. Additionally, it involves organizations such as the Internet Governance Forum (IGF) as well as various participants directly iinvolved in domain name activities, such as registries, registrars, internet service providers, and software developers. All of these entities are involved in the DNS ecosystem and are vulnerable to cyber threats related to domain names.
Types of domain name security risks
The DNS functions on a simple query-response protocol. When you insert the domain name into a web browser, the web browser sends out a query to a first resolver which then initiates a series of queries to authoritative servers. These authoritative servers either respond with a referral or an answer. This answer is returned to the originating application on behalf of the user.
When we talk about the vulnerabilities of the domain names and the domain name system, we have several factors to consider:
The DNS namespace is the universe of all possible names within the DNS. Traditionally, these consisted of alphanumeric values and a hyphen. However, as of recently, new “internationalized domain names” (IDNs) allow for the use of additional character sets in the presentation layer of the DNS.
This results in some risks related to the namespace, such as homoglyphs/homographs and typo-squatting. Bad actors can use these techniques to phish, hijack URLs, divert users, and damage your company’s reputation and online presence.
This is particularly challenging because it is easy to acquire low or no-cost SSL certificates that will give the browser user a digital padlock, indicating the connection is secure. This means that an insecure site can easily masquerade as a secure one. Furthermore, homographic and typo-squatting domain names don’t cost much to acquire these days.
Solutions for these vulnerabilities include user interfaces and applications that make IDN use more apparent. Several browsers now do not display the Unicode version of the strings. Instead, they show what is known as the Punycode (XN– strings).
Other mitigations include registries and registrars, who may hold limits on the registration of domain names. Some allocations of problematic domain names remain active to this day for historical reasons.
There are three separate classes of intrusions related to DNS services:
Attackers can change the domain name server to point to an attacker’s controlled authoritative servers. Avoiding redirection issues involves monitoring the addresses of a company’s name servers. Furthermore, if DNSSEC validation is implemented, name server changes that have not been signed will be detected by the validator.
DNS queries are answered by an attacker-controlled resolver. These exploitations also include drive-by attacks, in which bad actors break into residential Wi-Fi networks and change the resolver to point towards an attacker-controlled resolver. Similarly, they can break into an end user’s operating system and change the resolver configuration.
This is another case where the end-user must be vigilant. You must ensure that the local configuration is valid. If a company runs a local resolve on the end-user machine, you can also detect some of these attacks. Unfortunately, it is quite rare that DNSSEC validation is done at the endpoint, as it is usually done at a resolver upstream of the endpoint. If the attacker is redirecting away from that resolver, there’s no way the DNSSEC validation will detect it.
Distributed Denial of Service (DDoS)
Unfortunately, the DNS provides a way of amplifying DDoS attacks, as it is primarily User Datagram Protocol (UDP)-based. Bad actors can spoof source addresses and redirect traffic from multiple sources without any mechanism to validate that the query has returned to the right place.
A possible solution to prevent DDoS attacks involves limiting resolver use. Organizations can also implement response rate limiting that is deployable at the authoritative server level. While it’s an effective form of mitigation, it requires the authoritative servers’ participation.
DNS transitive trust
DNS transitive trust is a concept that many people do not know or understand. This concept describes a situation where a domain is configured to use multiple name servers in different namespaces.
If there is a compromise of any of those name servers located in any of those namespaces, then some queries can be compromised. Thus, anyone attempting to look up a name in that domain can get redirected incorrectly.
There are different levels where most domain name attacks occur:
- Registrant. The person registering the domain. If the registrant’s credentials are compromised, a bad actor can infiltrate the system and modify domain data. The use of registrar locks can help mitigate these types of attacks. It requires an out-of-band mechanism to unlock the domain for modifications to occur. In most cases, it’s an effective form of mitigation, but it is one susceptible to social engineering.
- Registrar. A retailer of domain names. If the registrar is compromised, then any of the names that are registered through them can be changed. To mitigate this type of attack, we can use a a registry lock. A registry lock essentially does the same thing as a registrar lock, except for at the registry level.
- Registry. If registrars are the retailers of domain names, then registries are the wholesalers. If the registry is compromised in any name, bad actors can alter the registry’s namespace in the same way as described above.
These attacks aren ‘t theoretical. A campaign that Cisco Talos dubbed “Sea Turtle” saw the domains of over 40 organizations hijacked through such tactics. In 2019, the domain world also saw the DNSpionage attacks. Both registries and registrars were the victims of these attacks, leading to a significant compromise of the names within those namespaces.
The biggest issue with the software side of the DNS is that the protocol has become exceedingly complicated. A term called the DNS Camel describes the problematic scenario when too many features are added to the protocol. The original DNS specification consisted of two documents known as Request For Comments (RFC). Currently, there are over 300 RFCs that are relevant to the DNS. Because of the complexity of DNS servers, anyone implementing one may create bugs.
To mitigate this, a diversity of strategies is a must. This involves using multiple implementations, compiling out or turning off unnecessary features, and placing your domain or name servers in a jail so bad actors won’t have complete access if it’s compromised. For software development companies, this means working with security-minded developers who understand the complexity of the DNS specification.
According to statistics, the average developer possesses less than 5 years of hands-on experience. Therefore, developers need to be upskilled and educated on the latest protocols and procedures regarding the DNS’s software vulnerabilities. Developers must be capable of identifying and mitigating API security risks related to your domain name portfolio and the DNS ecosystem.
Know the risks
Today, most companies tend to overlook domain, domain name, and DNS security risks. As a domain registrar, at Openprovider we see all these cases related to top-level domain names, including modern TLDs and ccTLDs. There are security blind spots that many companies are overlooking.
And even when companies are taking cybersecurity seriously, mishaps do occur. Threat factors related to digital certificates and the domain name ecosystem are the main ones that users and companies overlook. Not only do these mishaps leave corporations and their customers vulnerable to attacks, but they also affect companies’ online presence. Online presence is crucial for any company, and therefore serves as an attack surface for bad actors to target. Bad actors will target the corporate website, the email infrastructure, and vulnerabilities within the corporation’s exposed applications.
If corporations fail to take the appropriate actions to protect their domain name ecosystem, this may result in compromised email security and other network breaches. Cases such as these could result in the jeopardization of an organization’s brand in the offline real world. Even worse, you could experience revenue leakage or data exfiltration, in which case attackers could sell employee or customer data on the Dark Web, the internet’s black market.
How to secure your domain name ecosystem
Today, there are many tools you can use to secure your domain name ecosystem. We have already mentioned many solutions for specific vulnerabilities. But on a policy level, the best way to achieve this is by adopting a comprehensive approach toward protecting your company’s online presence and digital assets.
You should look at your domain name as a portfolio that can be secured via registry locks. Your cybersecurity system should also analyze your domain posture. This is the first layer of protection.
It also helps if you have protection for your brand online. If exploitation were to occur, you should be able to protect your brand from abuse, grey market distribution, counterfeiting, etc. These tools are what domain cybersecurity specialists consider the second layer of protection.
This ties into the third layer of protection, which addresses fraud vectors. These include classic exploitations such as phishing, malware and ransomware. Thus, we must look at a corporation’s online presence and provide 360-degree cyber security coverage towards identifying and mitigating all these threat vectors.
Often, companies have more than one domain. Some of these domains may be restricted to certain geographical parts of the world. Thus, it’s important to work with a globally secured registrar and use a strong management platform to protect your domain name portfolio.
Again, your company must utilize early warning detection of critical threat vectors outside the enterprise’s parameters. These vectors include phishing, DNS hijacking, sub-domain-names masking, etc. It’s best to work with a globally recognized workforce and security company to mitigate this problem for you.
The DNS is a complex system that provides a ubiquitous service that is critical to the functioning of the internet. Each part of the DNS ecosystem has its own set of vulnerabilities, and mitigation of those vulnerabilities requires the participation of all the actors in the ecosystem. At Openprovider, we offer with different security solutions for all stakeholders in this ecosystem, such as Premium DNS, SpamExperts, SSL certificates and more, depending on the particular needs, operations, and size of our customers. Our 17 years of experience gives us the expertise to help you choose the right security solution for your customers.